Help to check if there's a backdoor in my program

Status
Not open for further replies.
noob404

noob404

New Member
Thread author
Jul 25, 2020
4
3
2
India
Hey, I made a software with Visual Studio and used Bat to Exe Converter to convert certain batch files. But, a guy on a webstie claims to have found a backdoor in it. Is there a way to check if it's actually true. The program files gets detected as a virus on VirusTotal. But, I learned here that Bat to Exe converted files are usually detected as false positives. Can you help me find if there's indeed a backdoor or something serious? I have uploaded the files here.
I am unable to upload the files here. Is there something I could do to check?
 
Hello noob404,

I am Karsten and will gladly help you with any malware-related problems.

VirusTotal Upload
  • Please go to VirusTotal.com.
  • Click Choose File and locate your file in question
  • It may ask you for confirmation. If it does, click Confirm upload.
  • Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply
 
  • Like
Reactions: noob404 and oldschool
Thank you. From your description these files should be clean unless you have a file infector on the system. The detections do not indicate a file infector. The number of detections on those files is still higher than I would expect from a clean file. So I assume they have some characteristic that make them seem suspicous. What did you do with resource hacker?

Since it is already late here, I will analyse the files tomorrow morning and get back to you with my result.

What you can do in the meantime is submitting those files as false positives to the security vendors who detect them.
And if this is an important project or program that others shall use, you might consider signing the final product because this will make false positives less likely.
 
  • Like
Reactions: noob404, Gandalf_The_Grey and oldschool
struppigel said:
Thank you. From your description these files should be clean unless you have a file infector on the system. The detections do not indicate a file infector. The number of detections on those files is still higher than I would expect from a clean file. So I assume they have some characteristic that make them seem suspicous. What did you do with resource hacker?

Since it is already late here, I will analyse the files tomorrow morning and get back to you with my result.

What you can do in the meantime is submitting those files as false positives to the security vendors who detect them.
And if this is an important project or program that others shall use, you might consider signing the final product because this will make false positives less likely.
Click to expand...

Thank you for the update. I used Resource Hacker to add an icon, change the version number and the name of the project since I had saved it by its default name - WinFormsApp on VS.
 
Hi noob404,

I have analysed your files. Your files are clean, given that your website is fine (I didn't analyse the website).

Regarding the Batch files: Yes, I'd assume that's due to the Batch2Exe wrapper. I don't see anything else that's odd.

Regarding the .NET file. It has some odd characteristics that might contribute to the detections.

Firstly, the debugger timestamp (year 2061) and the COFF Header time stamp (year 2094) are in the future. You can see that if you download PEStudio and put your file into it. I don't know how this happened but it's weird.

Secondly, the default project name WindowsFormsApp1 may cause automated analysis systems and AI based detection systems to assume that your file is suspicious. There are lots of small downloaders and crappy malware using those default names whereas legitimate software usually has proper names. The default name together with references to a website and a call to cmd.exe make it very similar to a malware downloader.

Third, the icon and version info modification is probably not without issues. With my version (5.1.7) of Resource Hacker, I cannot see the icon, although it shows on Windows. So I guess the way the icon is modified is not quite standard and causes some anomalies. Changing icons afterwards instead of doing that in Visual Studio is unusual for legitimate software, so it might be used as clue that the file is suspicious.

This is just out of my experience. In the end I don't know what exactly those AVs deem as suspicious or malicious.

Do you have any questions?
 
  • Like
  • +Reputation
Reactions: upnorth, noob404 and Gandalf_The_Grey
This issue seems to be resolved. So I am closing this thread.
If there is anything else regarding these files you can DM me to reopen it. :)
 
  • Like
Reactions: upnorth
Status
Not open for further replies.

You may also like...